| Message ID | 20190206162452.7749-6-roberto.sassu@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | tpm: retrieve digest size of unknown algorithms from TPM | expand |
On Wed, Feb 6, 2019 at 10:30 AM Roberto Sassu <roberto.sassu@huawei.com> wrote: > > When crypto agility support will be added to the TPM driver, users of the > driver have to retrieve the allocated banks from chip->allocated_banks and > use this information to prepare the array of tpm_digest structures to be > passed to tpm_pcr_extend(). > > This patch retrieves a tpm_chip pointer from tpm_default_chip() so that the > pointer can be used to prepare the array of tpm_digest structures. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > security/keys/trusted.c | 38 ++++++++++++++++++++++++-------------- > 1 file changed, 24 insertions(+), 14 deletions(-) > > diff --git a/security/keys/trusted.c b/security/keys/trusted.c > index 4d98f4f87236..5b852263eae1 100644 > --- a/security/keys/trusted.c > +++ b/security/keys/trusted.c > @@ -34,6 +34,7 @@ > > static const char hmac_alg[] = "hmac(sha1)"; > static const char hash_alg[] = "sha1"; > +static struct tpm_chip *chip; > > struct sdesc { > struct shash_desc shash; > @@ -362,7 +363,7 @@ int trusted_tpm_send(unsigned char *cmd, size_t buflen) > int rc; > > dump_tpm_buf(cmd); > - rc = tpm_send(NULL, cmd, buflen); > + rc = tpm_send(chip, cmd, buflen); > dump_tpm_buf(cmd); > if (rc > 0) > /* Can't return positive return codes values to keyctl */ > @@ -384,10 +385,10 @@ static int pcrlock(const int pcrnum) > > if (!capable(CAP_SYS_ADMIN)) > return -EPERM; > - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); > + ret = tpm_get_random(chip, hash, SHA1_DIGEST_SIZE); > if (ret != SHA1_DIGEST_SIZE) > return ret; > - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; > + return tpm_pcr_extend(chip, pcrnum, hash) ? -EINVAL : 0; > } > > /* > @@ -400,7 +401,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, > unsigned char ononce[TPM_NONCE_SIZE]; > int ret; > > - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); > + ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); > if (ret != TPM_NONCE_SIZE) > return ret; > > @@ -496,7 +497,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, > if (ret < 0) > goto out; > > - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); > + ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); > if (ret != TPM_NONCE_SIZE) > goto out; > ordinal = htonl(TPM_ORD_SEAL); > @@ -606,7 +607,7 @@ static int tpm_unseal(struct tpm_buf *tb, > > ordinal = htonl(TPM_ORD_UNSEAL); > keyhndl = htonl(SRKHANDLE); > - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); > + ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); > if (ret != TPM_NONCE_SIZE) { > pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); > return ret; > @@ -751,7 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > int i; > int tpm2; > > - tpm2 = tpm_is_tpm2(NULL); > + tpm2 = tpm_is_tpm2(chip); > if (tpm2 < 0) > return tpm2; > > @@ -920,7 +921,7 @@ static struct trusted_key_options *trusted_options_alloc(void) > struct trusted_key_options *options; > int tpm2; > > - tpm2 = tpm_is_tpm2(NULL); > + tpm2 = tpm_is_tpm2(chip); > if (tpm2 < 0) > return NULL; > > @@ -970,7 +971,7 @@ static int trusted_instantiate(struct key *key, > size_t key_len; > int tpm2; > > - tpm2 = tpm_is_tpm2(NULL); > + tpm2 = tpm_is_tpm2(chip); > if (tpm2 < 0) > return tpm2; > > @@ -1011,7 +1012,7 @@ static int trusted_instantiate(struct key *key, > switch (key_cmd) { > case Opt_load: > if (tpm2) > - ret = tpm_unseal_trusted(NULL, payload, options); > + ret = tpm_unseal_trusted(chip, payload, options); > else > ret = key_unseal(payload, options); > dump_payload(payload); > @@ -1021,13 +1022,13 @@ static int trusted_instantiate(struct key *key, > break; > case Opt_new: > key_len = payload->key_len; > - ret = tpm_get_random(NULL, payload->key, key_len); > + ret = tpm_get_random(chip, payload->key, key_len); > if (ret != key_len) { > pr_info("trusted_key: key_create failed (%d)\n", ret); > goto out; > } > if (tpm2) > - ret = tpm_seal_trusted(NULL, payload, options); > + ret = tpm_seal_trusted(chip, payload, options); > else > ret = key_seal(payload, options); > if (ret < 0) > @@ -1225,17 +1226,26 @@ static int __init init_trusted(void) > { > int ret; > > + chip = tpm_default_chip(); > + if (!chip) > + return -ENOENT; This change causes a regression loading the encrypted_keys module on systems that don't have a tpm. Module init functions should not have hardware dependencies. The effect is that the libnvdimm module, which is an encrypted_keys user, fails to load, but up until this change encrypted_keys did not have a hard dependency on TPM presence.
On Mon, Mar 18, 2019 at 03:35:08PM -0700, Dan Williams wrote: > On Wed, Feb 6, 2019 at 10:30 AM Roberto Sassu <roberto.sassu@huawei.com> wrote: > > > > When crypto agility support will be added to the TPM driver, users of the > > driver have to retrieve the allocated banks from chip->allocated_banks and > > use this information to prepare the array of tpm_digest structures to be > > passed to tpm_pcr_extend(). > > > > This patch retrieves a tpm_chip pointer from tpm_default_chip() so that the > > pointer can be used to prepare the array of tpm_digest structures. > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > --- > > security/keys/trusted.c | 38 ++++++++++++++++++++++++-------------- > > 1 file changed, 24 insertions(+), 14 deletions(-) > > > > diff --git a/security/keys/trusted.c b/security/keys/trusted.c > > index 4d98f4f87236..5b852263eae1 100644 > > --- a/security/keys/trusted.c > > +++ b/security/keys/trusted.c > > @@ -34,6 +34,7 @@ > > > > static const char hmac_alg[] = "hmac(sha1)"; > > static const char hash_alg[] = "sha1"; > > +static struct tpm_chip *chip; > > > > struct sdesc { > > struct shash_desc shash; > > @@ -362,7 +363,7 @@ int trusted_tpm_send(unsigned char *cmd, size_t buflen) > > int rc; > > > > dump_tpm_buf(cmd); > > - rc = tpm_send(NULL, cmd, buflen); > > + rc = tpm_send(chip, cmd, buflen); > > dump_tpm_buf(cmd); > > if (rc > 0) > > /* Can't return positive return codes values to keyctl */ > > @@ -384,10 +385,10 @@ static int pcrlock(const int pcrnum) > > > > if (!capable(CAP_SYS_ADMIN)) > > return -EPERM; > > - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); > > + ret = tpm_get_random(chip, hash, SHA1_DIGEST_SIZE); > > if (ret != SHA1_DIGEST_SIZE) > > return ret; > > - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; > > + return tpm_pcr_extend(chip, pcrnum, hash) ? -EINVAL : 0; > > } > > > > /* > > @@ -400,7 +401,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, > > unsigned char ononce[TPM_NONCE_SIZE]; > > int ret; > > > > - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); > > + ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); > > if (ret != TPM_NONCE_SIZE) > > return ret; > > > > @@ -496,7 +497,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, > > if (ret < 0) > > goto out; > > > > - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); > > + ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); > > if (ret != TPM_NONCE_SIZE) > > goto out; > > ordinal = htonl(TPM_ORD_SEAL); > > @@ -606,7 +607,7 @@ static int tpm_unseal(struct tpm_buf *tb, > > > > ordinal = htonl(TPM_ORD_UNSEAL); > > keyhndl = htonl(SRKHANDLE); > > - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); > > + ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); > > if (ret != TPM_NONCE_SIZE) { > > pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); > > return ret; > > @@ -751,7 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, > > int i; > > int tpm2; > > > > - tpm2 = tpm_is_tpm2(NULL); > > + tpm2 = tpm_is_tpm2(chip); > > if (tpm2 < 0) > > return tpm2; > > > > @@ -920,7 +921,7 @@ static struct trusted_key_options *trusted_options_alloc(void) > > struct trusted_key_options *options; > > int tpm2; > > > > - tpm2 = tpm_is_tpm2(NULL); > > + tpm2 = tpm_is_tpm2(chip); > > if (tpm2 < 0) > > return NULL; > > > > @@ -970,7 +971,7 @@ static int trusted_instantiate(struct key *key, > > size_t key_len; > > int tpm2; > > > > - tpm2 = tpm_is_tpm2(NULL); > > + tpm2 = tpm_is_tpm2(chip); > > if (tpm2 < 0) > > return tpm2; > > > > @@ -1011,7 +1012,7 @@ static int trusted_instantiate(struct key *key, > > switch (key_cmd) { > > case Opt_load: > > if (tpm2) > > - ret = tpm_unseal_trusted(NULL, payload, options); > > + ret = tpm_unseal_trusted(chip, payload, options); > > else > > ret = key_unseal(payload, options); > > dump_payload(payload); > > @@ -1021,13 +1022,13 @@ static int trusted_instantiate(struct key *key, > > break; > > case Opt_new: > > key_len = payload->key_len; > > - ret = tpm_get_random(NULL, payload->key, key_len); > > + ret = tpm_get_random(chip, payload->key, key_len); > > if (ret != key_len) { > > pr_info("trusted_key: key_create failed (%d)\n", ret); > > goto out; > > } > > if (tpm2) > > - ret = tpm_seal_trusted(NULL, payload, options); > > + ret = tpm_seal_trusted(chip, payload, options); > > else > > ret = key_seal(payload, options); > > if (ret < 0) > > @@ -1225,17 +1226,26 @@ static int __init init_trusted(void) > > { > > int ret; > > > > + chip = tpm_default_chip(); > > + if (!chip) > > + return -ENOENT; > > This change causes a regression loading the encrypted_keys module on > systems that don't have a tpm. > > Module init functions should not have hardware dependencies. > > The effect is that the libnvdimm module, which is an encrypted_keys > user, fails to load, but up until this change encrypted_keys did not > have a hard dependency on TPM presence. Sorry for the latency. I was in flu for couple of days. I missed that addition in the review process albeit this patch set went numerous rounds. Apologies about ths. Also the return value is wrong. Should be -ENODEV but it doesn't matter because this needs to be removed anyway. Roberto, can you submit a fix ASAP that: 1. Allows the module to initialize even if the chip is not found. 2. In the beginning of each function (before tpm_is_tpm2()) you should check if chip is NULL and return -ENODEV if it is. Add also these tags before your signed-off-by: Cc: stable@vger.kernel.org Fixes: 240730437deb ("KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()") Reported-by: Dan Williams <dan.j.williams@gmail.com> Suggested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> /Jarkko
On 3/21/2019 2:15 PM, Jarkko Sakkinen wrote: > On Mon, Mar 18, 2019 at 03:35:08PM -0700, Dan Williams wrote: >> On Wed, Feb 6, 2019 at 10:30 AM Roberto Sassu <roberto.sassu@huawei.com> wrote: >>> >>> When crypto agility support will be added to the TPM driver, users of the >>> driver have to retrieve the allocated banks from chip->allocated_banks and >>> use this information to prepare the array of tpm_digest structures to be >>> passed to tpm_pcr_extend(). >>> >>> This patch retrieves a tpm_chip pointer from tpm_default_chip() so that the >>> pointer can be used to prepare the array of tpm_digest structures. >>> >>> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> >>> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> >>> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> >>> --- >>> security/keys/trusted.c | 38 ++++++++++++++++++++++++-------------- >>> 1 file changed, 24 insertions(+), 14 deletions(-) >>> >>> diff --git a/security/keys/trusted.c b/security/keys/trusted.c >>> index 4d98f4f87236..5b852263eae1 100644 >>> --- a/security/keys/trusted.c >>> +++ b/security/keys/trusted.c >>> @@ -34,6 +34,7 @@ >>> >>> static const char hmac_alg[] = "hmac(sha1)"; >>> static const char hash_alg[] = "sha1"; >>> +static struct tpm_chip *chip; >>> >>> struct sdesc { >>> struct shash_desc shash; >>> @@ -362,7 +363,7 @@ int trusted_tpm_send(unsigned char *cmd, size_t buflen) >>> int rc; >>> >>> dump_tpm_buf(cmd); >>> - rc = tpm_send(NULL, cmd, buflen); >>> + rc = tpm_send(chip, cmd, buflen); >>> dump_tpm_buf(cmd); >>> if (rc > 0) >>> /* Can't return positive return codes values to keyctl */ >>> @@ -384,10 +385,10 @@ static int pcrlock(const int pcrnum) >>> >>> if (!capable(CAP_SYS_ADMIN)) >>> return -EPERM; >>> - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); >>> + ret = tpm_get_random(chip, hash, SHA1_DIGEST_SIZE); >>> if (ret != SHA1_DIGEST_SIZE) >>> return ret; >>> - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; >>> + return tpm_pcr_extend(chip, pcrnum, hash) ? -EINVAL : 0; >>> } >>> >>> /* >>> @@ -400,7 +401,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, >>> unsigned char ononce[TPM_NONCE_SIZE]; >>> int ret; >>> >>> - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); >>> + ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); >>> if (ret != TPM_NONCE_SIZE) >>> return ret; >>> >>> @@ -496,7 +497,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, >>> if (ret < 0) >>> goto out; >>> >>> - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); >>> + ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); >>> if (ret != TPM_NONCE_SIZE) >>> goto out; >>> ordinal = htonl(TPM_ORD_SEAL); >>> @@ -606,7 +607,7 @@ static int tpm_unseal(struct tpm_buf *tb, >>> >>> ordinal = htonl(TPM_ORD_UNSEAL); >>> keyhndl = htonl(SRKHANDLE); >>> - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); >>> + ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); >>> if (ret != TPM_NONCE_SIZE) { >>> pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); >>> return ret; >>> @@ -751,7 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, >>> int i; >>> int tpm2; >>> >>> - tpm2 = tpm_is_tpm2(NULL); >>> + tpm2 = tpm_is_tpm2(chip); >>> if (tpm2 < 0) >>> return tpm2; >>> >>> @@ -920,7 +921,7 @@ static struct trusted_key_options *trusted_options_alloc(void) >>> struct trusted_key_options *options; >>> int tpm2; >>> >>> - tpm2 = tpm_is_tpm2(NULL); >>> + tpm2 = tpm_is_tpm2(chip); >>> if (tpm2 < 0) >>> return NULL; >>> >>> @@ -970,7 +971,7 @@ static int trusted_instantiate(struct key *key, >>> size_t key_len; >>> int tpm2; >>> >>> - tpm2 = tpm_is_tpm2(NULL); >>> + tpm2 = tpm_is_tpm2(chip); >>> if (tpm2 < 0) >>> return tpm2; >>> >>> @@ -1011,7 +1012,7 @@ static int trusted_instantiate(struct key *key, >>> switch (key_cmd) { >>> case Opt_load: >>> if (tpm2) >>> - ret = tpm_unseal_trusted(NULL, payload, options); >>> + ret = tpm_unseal_trusted(chip, payload, options); >>> else >>> ret = key_unseal(payload, options); >>> dump_payload(payload); >>> @@ -1021,13 +1022,13 @@ static int trusted_instantiate(struct key *key, >>> break; >>> case Opt_new: >>> key_len = payload->key_len; >>> - ret = tpm_get_random(NULL, payload->key, key_len); >>> + ret = tpm_get_random(chip, payload->key, key_len); >>> if (ret != key_len) { >>> pr_info("trusted_key: key_create failed (%d)\n", ret); >>> goto out; >>> } >>> if (tpm2) >>> - ret = tpm_seal_trusted(NULL, payload, options); >>> + ret = tpm_seal_trusted(chip, payload, options); >>> else >>> ret = key_seal(payload, options); >>> if (ret < 0) >>> @@ -1225,17 +1226,26 @@ static int __init init_trusted(void) >>> { >>> int ret; >>> >>> + chip = tpm_default_chip(); >>> + if (!chip) >>> + return -ENOENT; >> >> This change causes a regression loading the encrypted_keys module on >> systems that don't have a tpm. >> >> Module init functions should not have hardware dependencies. >> >> The effect is that the libnvdimm module, which is an encrypted_keys >> user, fails to load, but up until this change encrypted_keys did not >> have a hard dependency on TPM presence. > > Sorry for the latency. I was in flu for couple of days. > > I missed that addition in the review process albeit this patch set > went numerous rounds. Apologies about ths. Also the return value is > wrong. Should be -ENODEV but it doesn't matter because this needs to > be removed anyway. > > Roberto, can you submit a fix ASAP that: Ok, I will do it now. Roberto > 1. Allows the module to initialize even if the chip is not found. > 2. In the beginning of each function (before tpm_is_tpm2()) you > should check if chip is NULL and return -ENODEV if it is. > > Add also these tags before your signed-off-by: > > Cc: stable@vger.kernel.org > Fixes: 240730437deb ("KEYS: trusted: explicitly use tpm_chip structure from tpm_default_chip()") > Reported-by: Dan Williams <dan.j.williams@gmail.com> > Suggested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > /Jarkko >
diff --git a/security/keys/trusted.c b/security/keys/trusted.c index 4d98f4f87236..5b852263eae1 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -34,6 +34,7 @@ static const char hmac_alg[] = "hmac(sha1)"; static const char hash_alg[] = "sha1"; +static struct tpm_chip *chip; struct sdesc { struct shash_desc shash; @@ -362,7 +363,7 @@ int trusted_tpm_send(unsigned char *cmd, size_t buflen) int rc; dump_tpm_buf(cmd); - rc = tpm_send(NULL, cmd, buflen); + rc = tpm_send(chip, cmd, buflen); dump_tpm_buf(cmd); if (rc > 0) /* Can't return positive return codes values to keyctl */ @@ -384,10 +385,10 @@ static int pcrlock(const int pcrnum) if (!capable(CAP_SYS_ADMIN)) return -EPERM; - ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE); + ret = tpm_get_random(chip, hash, SHA1_DIGEST_SIZE); if (ret != SHA1_DIGEST_SIZE) return ret; - return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0; + return tpm_pcr_extend(chip, pcrnum, hash) ? -EINVAL : 0; } /* @@ -400,7 +401,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s, unsigned char ononce[TPM_NONCE_SIZE]; int ret; - ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE); + ret = tpm_get_random(chip, ononce, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) return ret; @@ -496,7 +497,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype, if (ret < 0) goto out; - ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE); + ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) goto out; ordinal = htonl(TPM_ORD_SEAL); @@ -606,7 +607,7 @@ static int tpm_unseal(struct tpm_buf *tb, ordinal = htonl(TPM_ORD_UNSEAL); keyhndl = htonl(SRKHANDLE); - ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE); + ret = tpm_get_random(chip, nonceodd, TPM_NONCE_SIZE); if (ret != TPM_NONCE_SIZE) { pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); return ret; @@ -751,7 +752,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay, int i; int tpm2; - tpm2 = tpm_is_tpm2(NULL); + tpm2 = tpm_is_tpm2(chip); if (tpm2 < 0) return tpm2; @@ -920,7 +921,7 @@ static struct trusted_key_options *trusted_options_alloc(void) struct trusted_key_options *options; int tpm2; - tpm2 = tpm_is_tpm2(NULL); + tpm2 = tpm_is_tpm2(chip); if (tpm2 < 0) return NULL; @@ -970,7 +971,7 @@ static int trusted_instantiate(struct key *key, size_t key_len; int tpm2; - tpm2 = tpm_is_tpm2(NULL); + tpm2 = tpm_is_tpm2(chip); if (tpm2 < 0) return tpm2; @@ -1011,7 +1012,7 @@ static int trusted_instantiate(struct key *key, switch (key_cmd) { case Opt_load: if (tpm2) - ret = tpm_unseal_trusted(NULL, payload, options); + ret = tpm_unseal_trusted(chip, payload, options); else ret = key_unseal(payload, options); dump_payload(payload); @@ -1021,13 +1022,13 @@ static int trusted_instantiate(struct key *key, break; case Opt_new: key_len = payload->key_len; - ret = tpm_get_random(NULL, payload->key, key_len); + ret = tpm_get_random(chip, payload->key, key_len); if (ret != key_len) { pr_info("trusted_key: key_create failed (%d)\n", ret); goto out; } if (tpm2) - ret = tpm_seal_trusted(NULL, payload, options); + ret = tpm_seal_trusted(chip, payload, options); else ret = key_seal(payload, options); if (ret < 0) @@ -1225,17 +1226,26 @@ static int __init init_trusted(void) { int ret; + chip = tpm_default_chip(); + if (!chip) + return -ENOENT; ret = trusted_shash_alloc(); if (ret < 0) - return ret; + goto err_put; ret = register_key_type(&key_type_trusted); if (ret < 0) - trusted_shash_release(); + goto err_release; + return 0; +err_release: + trusted_shash_release(); +err_put: + put_device(&chip->dev); return ret; } static void __exit cleanup_trusted(void) { + put_device(&chip->dev); trusted_shash_release(); unregister_key_type(&key_type_trusted); }